A Guide to the General Data Protection Regulation
By Guest Author | Posted 04-05-2017
By Steve Durbin
The General Data Protection Regulation (GDPR) officially goes into effect in May 2018 and will have an international reach, affecting any organization that handles the personal data of European Union residents. This means that any company holding an individual’s data that moves across EU jurisdictions will be affected—even if the company is not based in Europe. Since the account holder’s data is moving across the jurisdiction, the company is responsible for it.
The GDPR aims to establish uniform data protection levels for all EU residents and will focus on how organizations handle personal data. Businesses face several challenges in preparing for this reform, including a lack of awareness among major internal stakeholders. The GDPR will create several compliance requirements, from which few organizations can completely escape.
However, businesses of all sizes will benefit from the EU-wide uniformity introduced by the reform and will no longer have to navigate the current array of often-contradictory national data protection laws. Worldwide benefits will accrue as countries in other regions pay more attention to defending mission-critical assets. The GDPR has the potential to serve as a healthy, scalable and exportable system that could become an international benchmark.
The GDPR is not the only data protection obligation with which organizations must comply. Therefore, it should be treated as part of a broader data protection management system that encompasses the people, processes and technologies used to control personal data processing.
This can include requirements from a variety of sources, such as local legislation, case law and treaties; sector-specific regulatory requirements; and commercial obligations arising from contractual terms and publicized organizational commitments for personal data processing (e.g., privacy notices and terms and conditions).
These sources, combined with an organization’s values, attitude to risk and compliance demands, largely determine how personal data is protected. Although values, risk and compliance are often in tension, an organization can take a holistic approach, where its values guide the balance between risk and compliance.
Prepare for GDPR Compliance
Before the GDPR begins to be enforced, an organization should have completed its preparations. In doing so, it should ask the following questions:
Have responsibility and funding for GDPR compliance been assigned?
Can the skills to achieve GDPR compliance be deployed, developed or recruited?
Can the requirements of the GDPR be implemented by May 2018?
Demonstrate Compliance With Third Parties
One of the requirements of the GDPR is that a data controller be responsible for the actions of its data processors. The controller should also ensure that the data processors have suitable controls in place to handle personal data in accordance with the GDPR.
Organizations should be able to notify partners of requests to rectify or erase personal data, or to restrict or change the purposes of processing. This will require organizations to review their processing relationships with all third parties and to satisfy themselves that third-party controls and capabilities comply with the GDPR. Similarly, an organization should expect to have to satisfy those third parties of its own controls.
In practice, an organization should have completed its GDPR preparations well before May 2018 to gain assurance from—and provide assurance for—third parties’ requests. This will require resources that have the expertise and time to issue and process those requests. Data protection, legal and information security teams should plan for this task so they will not be overwhelmed with requests closer to the enforcement deadline.
Designate a Data Protection Officer
The Information Security Forum (ISF) anticipates that most organizations will need to designate a data protection officer (DPO), and research by the International Association of Privacy Professionals (IAPP) suggests that up to 75,000 new DPOs will be required worldwide.
The likely shortage of qualified individuals, coupled with the length of typical corporate hiring cycles, means that organizations that have not yet designated a DPO should do one of three things: start recruitment now, identify an internal candidate and start training him or her, or seek external expertise to fulfill the role requirements.
The GDPR Moves to the Forefront
The GDPR is putting data protection practices at the forefront of business agendas worldwide. For most organizations, the next 18 months will be a critical time for their data protection regimes, as they determine the applicability of the GDPR, as well as the controls and capabilities they will need to manage their compliance and risk obligations.
Because of the effort required to report data breaches, it is absolutely essential that organizations prepare in advance. For many, this will require a more coherent incident response process, along with closer cooperation between multiple departments, in particular the legal unit. This coherence is essential, as Data Protection Authorities (DPAs) will want to see a transparent rationale for remediation actions taken in response to a data breach.
The cost of non-compliance is certainly going to increase, not only from new sanctions and fines, but also in the court of public opinion. Reporting requirements will steadily push more data breaches into public view, creating reputational risks that many organizations have thus far avoided. Companies that establish themselves as trusted data protectors will benefit commercially.
With reform on the horizon, organizations that are already doing or are planning to do business in Europe should get an immediate handle on what data they are collecting on European individuals, where it is coming from, what it is being used for, where and how it is being stored, who is responsible for it and who has access to it.
Don’t wait for the reform to be instituted. By that time, it will be too late.
Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber-security, bring-your-own-device policies, cloud computing, and social media across the corporate and personal environments. Previously, he was a senior vice president at Gartner.